Basic Algorithms in Number Theory

Transcription

1 Basic Algorithms in Number Theory Joe Buhler, Stan Wagon July 29, 2007 Abstract A variety of number-theoretic algorithms are described and analyzed with an eye to providing background for other articles in this volume. Topics include Euclid s algorithm, continued fractions, factoring, primality, modular congruences, and quadratic fields. 1 Introduction Our subject combines the ancient charms of number theory with the modern fascination with algorithmic thinking. Newcomers to the field can appreciate this juxtaposition by studying the many elementary pearls in the subject. The aim here is to describe a few of these gems with the combined goals of preparing the reader for subsequent articles in this volume, and luring him or her into pursuing full-length treatments of the subject, such as [2], [5], [10], [9], [16], [15], [37]. Many details will be left to the reader, and we will assume that he or she knows (or can look up) basic facts from number theory, algebra, and elementary programming. 2 Complexity, informally Algorithms take input and produce output. The complexity of an algorithm A is a function C A (n), defined to be the maximum, over all input I of size n, of the cost of running A on input I. Cost is often measured in terms of the number of elemental operations that the algorithm performs and is intended, in suitable contexts, to approximate running time of actual computer programs implementing these algorithms. A formalization of these ideas requires precise definitions for algorithm, input, output, cost, elemental operation, and so on. We will give none. Instead, this section gives a series of algorithms answering number-theoretic questions, and then discusses their complexity. This permits a quick survey of some algorithms of interest in number theory, and a discussion of complexity theory from a naive number theorists point of view. Fortunately, this informal and intuitive approach to complexity is usually sufficient for purposes of algorithmic number theory. Precise 1

2 foundations can be found in many texts on theoretical computer science or algorithmic complexity [13], [17] [19]. The first problem arises in elementary school. Problem 1. Multiplication: Given integers x and y, find their product xy. As stated, the question is woefully imprecise. We interpret it in the following natural (but by no means only possible) way. An algorithm to solve this problem takes the base b > 1 representation of integers x and y as input, given as strings of symbols. The algorithm (idealized computer program or Turing machine) follows a well-defined ( deterministic ) procedure to produce a string of output symbols which is the base b representation of the product xy. In practice, one might expect b to be 2, 10, 2 32, 2 64, etc. The natural notion of the size of an integer x is the total of the number of symbols (base b digits) in the input, perhaps augmented by a small constant to delimit the number and give its sign. For the sake of definiteness, we define the base-b size of x to be size b (x) := 1 + log b (1 + x ), where log b is the logarithm to the base b, and u is the ceiling of u the smallest integer greater than or equal to u. The size of an integer x is O(log( x )), where g(x) = O(f(x)) is a shorthand statement saying that g is in the class of functions such that there is a constant C such that g(x) C f(x) for sufficiently large x. Note that O(log b (x)) = O(log b (x)) for b, b > 1. In particular, if we are interested in complexity only up to a constant factor, the choice of b is irrelevant. The multiplication algorithm that we all learned as youngsters takes O(n 2 ) digit operations on input of size n. More precisely, if x and y have size at most n, then approximately n 2 digit-sized multiplications, and n additions of n-digit intermediate products are required. Notice that the O() notation gracefully summarizes the running time of the algorithm; e.g., the complexity O(n 2 ) is independent of base b, precise details of measuring the size of an integer, the definition of size of two inputs (as the maximum of the two integer inputs, or the total of their sizes), etc. An algorithm is said to take polynomial time if for some k its complexity is O(n k ) for input of size n. Although this is a very flexible definition, with unclear relevance to computational practice, it has proven to be remarkably robust. In fact, it is sometimes reasonable to take polynomial time as synonymous with efficient, and in any case the notion has proved useful in both theory and practice. Of course, once it is known that a problem can be solved in polynomial time, it is interesting to find the smallest possible exponent k. For instance, in the 1970 s Schönhage ([30]) discovered a striking algorithm for Multiplication that takes time O(n log(n) log log(n)) to multiply two n-digit integers. This unexpectedly low complexity led to a number of related fast algorithms; see [4] in this volume for arithmetic and algebraic examples. The elemental operations above are operations on single digits. The resulting notion of the complexity (running time) of an algorithm is called bit complexity, since if b = 2 then the underlying operations act on bits. In other contexts it might be more useful to assume that any arithmetic operation takes constant time (e.g., if all integers are 2

3 known beforehand to fit into a single computer word). When complexity of an algorithm is defined by counting arithmetic operations, the result is said to be the arithmetic complexity of the algorithm. In this model the cost of a single multiplication is O(1), showing that complexity depends dramatically on the underlying computational model. Problem 2. Exponentiation: Given x and a nonnegative integer n, compute x n. Again, problem is underspecified. We will assume that x is an element of a set that has a well-defined operation (associative with an identity element) that is written multiplicatively; moreover, we will measure cost as the number of such operations required to compute x n on input x and n. We take the size of the input to be the size of the integer n. Although x 16 can be computed with 15 multiplications in an obvious way, it is faster to compute it by 4 squarings. More generally, the binary expansion n = a i 2 i, a i {0, 1} implies that x n = x a 0 (x 2 ) a 1 (x 4 ) a4, (1) which suggests to a clever way to interleave multiplications and squarings: Right-to-left Exponentiation Input: x as above, and a nonnegative integer n Output: x n 1. y := 1 2. While n > 0 if n is odd, y = xy (a i is 1) x := x 2, n := n/2 3. Return y Here := denotes assignment of values to variables, 1 denotes the identity for the operation, and the floor u is the largest integer less than or equal to u. The correctness of the algorithm is reasonably clear from (1) since for k 0, x 2k is multiplied into y if and only if the k-th bit a k bit of the binary expansion of n is nonzero; it can proved more formally by showing by induction that at the beginning of Step 2, X N = x n y is true, where X and N denote the initial values of the variables x and n. When n is 0 equation says that X N = y, so that y is the desired power. The usual inductive definition of Exp(x, n) := x n gives an obvious recursive algorithm: 1 if n = 0 Exp(x, n) = Exp(x 2, n/2) if n > 0 is even (2) x Exp(x 2, (n 1)/2) if n is odd. Experienced programmers often implement recursive versions of algorithms because of their elegance and obvious correctness, and when necessary then convert them to equivalent, and possibly faster, iterative (non-recursive) algorithms. If this is done to the recursive program, the result is to Right-to-Left algorithm above. Curiously, if the clause for even n is changed to the mathematically equivalent Exp(x, n) = Exp(x, n/2) 2, n even 3

4 (and similarly in the odd clause) then the corresponding iterative algorithm is genuinely different. Left-to-Right Exponentiation Input: x, a nonnegative integer n, and a power of two m such that n < m Output: x n 1. y := 1 2. While m > 1 m := m/2, y := y 2 If n m then y := xy, n := n m 3. Return y Correctness follows inductively by proving that at the beginning of Step 2, n < m and y m x n = x N. In contrast to the earlier algorithm, this version consumes the bits a i (in the binary expansion of n) starting with the leftmost, i.e., most significant, bit. The complexity of any of the versions of this algorithm (collectively called Exp in the sequel) is O(log(n)) since the number of operations is bounded by 2 size 2 (n). This remarkable efficiency is put to innumerable uses in algorithmic number theory, as will be seen. Note that the naive idea of repeatedly multiplying by x takes time O(n), which is exponential in the size of the input. Remark 3. In a specific but important special case the left-to-right version of Exp is better than the right-to-left version. Suppose that our operation is multiplying modulo n and that x is small relative to N. Then multiplications by the original x are likely to take less time than modular multiplications by an arbitrary integer X, 0 X < N. The left-to-right version preserves the original x (though the squarings involve arbitrary integers), whereas the right-to-left version modifies x and hence performs operations on arbitrary elements. In other words, with a different computational model (bit complexity, with the specific underlying operation multiply modulo N, and x assumed small) the left-to-right algorithm, either recursive or iterative, is significantly better than right-to-left exponentiation. Remark 4. To yet again highlight the dependence on assumptions, if the operation that we are considering is multiplication of integers, complexity is measured in terms of bit operations, and size of the input is defined to be the size of n plus the size of x Z, then the size of the output is exponential in the input size, so that any algorithm will be inefficient. This discussion scratches the surface of a great deal of theoretical and practical work. The overwhelming importance of exponentiation has led to many significant practical improvements; perhaps the most basic is to replace the base 2 expansion of n with a base b for b a small power of 2. On the theoretical side, there are many interesting results on finding the absolutely smallest possible number of operations required to compute x n ([16]). Problem 5. GCD: Given integers a and b, return the largest integer that is a divisor of both a and b. 4

5 The greatest common divisor (GCD) is denoted gcd(a, b). Perhaps the most famous number-theoretic algorithm of all is due to Euclid. Using gcd(0, a) = a and gcd(±a, ±b) = gcd(a, b) it suffices to find the GCD of positive integers. Euclid s Algorithm Input: Positive integers a and b Output: gcd(a, b) While b > 0 {a, b} := {b, a rem b} Return a Here r = a rem b is the remainder when a is divided by b, i.e., the unique integer r such that there is a q with a = qb+r, 0 r < b. The simultaneous assignment statement {a, b} = {b, a rem b} would be implemented in a more prosaic programming language by something along the lines of the three statements temp := b, b = a rem b, a = temp. The correctness of the algorithm can be verified by showing that the GCD of a and b doesn t change at each step of the algorithm. Just as with multiplication, the remainder a rem b can be found in time log 2 (max(a, b)) with straightforward algorithms, and time log 1+ɛ (max(a, b)) for any positive ɛ if asymptotically fast algorithms due to Schönhage and Strassen are used. It isn t too hard to work out that a > b after one step of the algorithm, and then the smallest number is halved in (at most) two steps of the algorithm. This means that the number of times that the loop is executed (i.e., the number of remainder operations) is bounded by O(log(max(a, b)). Thus the algorithm is efficient using either arithmetic or bit complexity. We will have much much more to say about Euclid s algorithm later. If gcd(a, b) = 1 then a and b are said to be relatively prime, or coprime. Problem 6. Primality: Given a positive integer n > 1, is n is a prime? The is an example of a decision problem, for which the output is either yes or no. Perhaps the most straightforward algorithm for Primality is the trial division method: for d = 2, 3,... test whether n is divisible by d. If divisibility holds for d n then n is composite (non-prime); if n is not divisible by any d n then n is prime. The time required is O( n), which is an exponential function of the size of n, and this algorithm is impractical for for even moderately large n. Fermat s Little Theorem says that if n is a prime and a is coprime to n then a n 1 1 mod n. It is very efficient to check this condition using Exp. In the favorable circumstance in which the prime factorization of n 1 is known this can be used to prove primality via the following result. Theorem 7. If a and n are integers such that a n 1 1 mod n, and a (n 1)/q 1 mod n for all prime divisors q of n 1, then n is prime. 5

6 Proof. Let ord(a) denote the order of a in the multiplicative group (Z/nZ) of integers coprime to n, modulo n. The condition a n 1 1 mod n implies that ord(a) is a divisor of n 1. Any proper divisor of n 1 is a divisor of (n 1)/q for some prime q. The second condition of the theorem says that ord(q) does not divide (n 1)/q for any q, and we conclude that ord(a) = n 1. Thus (Z/nZ) has n 1 elements and n is a prime, as claimed. A generalization of this theorem due to Pocklington says that only a partial factorization of n 1 is necessary: if m is a divisor of n 1 with m > n, then n is a prime if a n 1 1 mod n, and a (n 1)/q 1 mod n for prime divisors of m. Loosely, this says that primality is easy to test if n 1 is half-factored. Unfortunately, this does not give an efficient primality test: For large n no algorithm is known that efficiently factors or half-factors n 1. One of the seminal algorithmic insights of the twentieth century was that algorithms might profit from having an auxiliary input consisting of nothing but random bits. In the case of primality testing, this means that if we are willing to substitute overwhelming likelihood of being prime for provably a prime then it is possible to find an efficient algorithm. As a first try, observe that if n is composite then a n 1 should be, intuitively, a random integer modulo n. Thus we could choose several random a and report probable prime when Fermat s congruence a n 1 1 mod n holds for all a, and composite if it fails for any one of them. Unfortunately, there are positive integers called Carmichael numbers (see [9]) such that the congruence holds for all a relatively prime to n. As a second try, we take the square root of the Fermat congruence. To explain this it is convenient to first review Legendre and Jacobi symbols. An integer a is a quadratic residue modulo p if it is a nonzero square, i.e., if there is an x (not divisible by p) such that x 2 a mod p. Nonsquares are said to be nonresidues. This is encoded in the Legendre symbol ( ) a = p 0 if p divides a 1 if x is a quadratic residue mod p 1 if x is a quadratic nonresidue mod p Euler s Criterion gives an explicit congruence for the Legendre symbol ( ) a a (p 1)/2 mod p. (3) p from which the Legendre symbol can be computed reasonably efficiently, using Exp in the multiplicative group (Z/pZ). The Jacobi symbol generalizes the Legendre symbol and is defined, for an integer a and an positive odd positive integer b = p ep, by reverting to the Legendre symbol when b is an odd prime, and enforcing multiplicativity in the denominator: ( a ) = ( ) ep a. b p p 6

7 The Jacobi symbol is multiplicative in both the numerator and denominator, depends only on a mod b, obeys the famous law of quadratic reciprocity ( )( ) a b = ( 1) ((a 1)(b 1))/4, a, b odd. b a Moreover, two supplementary laws are satisfied: ( 1/b) = ( 1) (b 1)/2, (2/b) = ( 1) (b2 1)/8. These rules can be used to compute the Jacobi symbol without factoring b, along the lines of Euclid s algorithm. In fact for the Legendre symbol it is is (somewhat) more efficient to use this rather than using Exp as described above. Remark 8. Let n = F k := 2 2k + 1 be the k-th Fermat number. The reader may enjoy using Theorem 7 to show that if n = F k and 3 (n 1)/2 1 mod n then n is prime, and to prove using quadratic reciprocity that if n is prime then the congruence holds. Now we return to the problem of giving a a probabilistic polynomial time algorithm for primality. The key idea is to use Euler s congruence ( ) a a (p 1)/2 mod p. p which gives a necessary condition for p to be prime. A probabilistic algorithm is similar to an ordinary (deterministic) algorithm except that it is an extra input string of random bits which for instance, enable the algorithm to choose uniformly randomly from a finite set. Solovay-Strassen primality test Input: An integer k > 0, an odd integer n > 1, and a string of bits Output: Prime or Composite 1. For i = 1, 2,..., k Choose ( a randomly from {1, 2,..., n 1} a ( a If = 0 or a n) n) (n 1)/2 mod n then Output Composite and halt. 2. Output Prime It is clear that if the algorithm returns Composite then n is definitely composite, and some work shows that if it returns Prime then the probability that this is false (i.e., the fraction of auxiliary input bit strings giving this false answer) is exponentially small as a function of k. Remark 9. A statement about the probability of something happening is a statement about the fraction of input bit strings for which that event happens. In the future, we will omit explicit mention of the input random bits. The input string is ignored in assessing the size of the input. Remark 10. In circumstances in which it is necessary to emphasize that an algorithm is not probabilistic, the algorithm is said to be deterministic. 7

8 Theorem 11. The Solovay-Strassen algorithm returns Prime if n is prime, and returns Composite with probability at least 1 1/2 k if n is composite. Its running time is bounced by a polynomial in the size of n and log(1/ɛ) where ɛ < 1/2 k is the probability of an error. Proof. (Sketch.) The GCD and exponentiation steps can be done it at most time O(log 3 (n)) so each iteration takes polynomial time in n. If n is prime, then Euler s congruence implies that the test returns Prime. If n is composite then the algorithm will return Composite unless for each of k random choices of a lies in the subgroup ( a E(n) := {a (Z/nZ) : a n) (n 1)/2 mod n} of the multiplicative group (Z/nZ), sometimes called the group of Euler liars for the composite number n. With some work ([2]) it can be shown that E(n) φ(n)/2, so that the change of a composite number passing all k of these tests is at most 1 1/2 k. The error probability is therefore ɛ < 2 k, and the running time is k O(log 3 (n)) < log(1/ɛ) log 3 (n). There is a rich literature on primality proving (or approximations thereto). From a theoretical point of view, primality proving came to definitive conclusion in 2002 when Manindra Agrawal, Neeraj Kayal, and Nitin Saxena showed [1] that primality testing could be done in polynomial time by a deterministic algorithm. For a description of this algorithm, and algorithms currently used in practice, see [34]. Problem 12. Quadratic Nonresidues: Given an odd prime p, find a quadratic nonresidue modulo p. This simple problem illustrates stark differences between theory and practice, and deterministic and probabilistic algorithms. If p is an odd prime there are (p 1)/2 quadratic residues and (p 1)/2 nonresidues mod p, so if a mod p is nonzero, then a has a 50/50 chance of being a nonresidue. Thus there is an obvious probabilistic algorithm: repeatedly choose a at random until a nonresidue is found. With overwhelming likelihood a nonresidue will be found quickly, and thus quadratic nonresidues can be found quickly with a probabilistic polynomialtime algorithm. However, no deterministic polynomial-time algorithm is known. Nothing seems to be better than testing a = 2, 3,... until arriving at a nonresidue. Although there are heuristic grounds to think that there is a nonresidue a = O(log p) 1+ɛ ), the best that can be proved is that one finds a nonresidue for a = O(p 1/4 ), so the simple-minded search could take exponential time. It is known that if the so-called Extended Riemann Hypothesis is true then there is a nonresidue a < 2(log(p)) 2 = O(log(p)) 2 ([3]). Problem 13. Factoring: Given a positive integer n > 1, find a proper divisor m of n (a divisor m such that 1 < m < n). 8

9 Factoring appears to be much harder than primality, both in theory and practice. Trial division again gives an obvious algorithm that is impractical unless n is small. In fact, no deterministic factoring algorithm is known whose complexity is sub-exponential, i.e., less than c n for all c > 1. Factoring has fascinated mathematicians for centuries, and a vast menagerie of algorithms are known. One of the more striking ones is the so-called Pollard rho algorithm, due to John Pollard [25]. Let n be a composite integer that is not a prime power. (It is easy to check whether or not n is a perfect power by taking sufficiently accurate k-th roots for 2 k log 2 (n).) Let f : Z/nZ Z/nZ be the function f(x) = x 2 + 1, and let f k (x) = f(f(... f(x)...)) denote the k-th iterate of f applied to x. glance. Pollard s algorithm is astonishing at first Pollard ρ factoring algorithm Input: A composite n > 1, not a prime power Output: A nontrivial factor of n 1. Choose a random x {0, 1,... n 1} 2. For i := 1, 2,... g := gcd(f i (x), f 2i (x)) If g = 1, go to the next i If g = n then go to Step 1 and choose another x Else output g and halt What could possibly be going on here? The birthday paradox in elementary probability theory says that in a collection of 23 or more people it is more likely than not that two people will have the same birthday. More generally, if elements are randomly chosen, with replacement, from a set of size n, then we expect a duplication after O( n) choices [16]. Let p be an (unknown) prime divisor of n. Examples suggest that f k (x) mod p is indistinguishable from a random sequence. Assuming that this is the case, the birthday paradox implies that the sequence repeats a value after O( p) steps, after which time it cycles. Thus the sequence of values mod p has the form y 1,..., y m, y m+1,..., y m+k = y m, y m+k+1 = y m+1,.... A little calculation shows that if i is the smallest multiple of k that exceeds m then y i = y 2i. In the context of the Pollard ρ algorithm this means that p divides gcd(f i (x), f 2i (x)). Thus the GCDs in the algorithm will sooner or later be divisible by p. One catastrophe that can happen is that, by some strange coincidence, all primes dividing n happen to divide the GCD at the same time, though this is very unlikely in practice. Many further details (and optimizations) of this charming algorithm can be found, e.g., in [16] and [10]. The complexity of the algorithm is O(n 1/4 ), which is unfortunately exponential as a function of the input size O(log(n)). 9

10 In the last 20 years, probabilistic factoring algorithms have emerged that factor n in time L n [1/2; 1] in practice, where L n [a; c] = exp ( (c + o(1))(log(n)) a (log log(n)) 1 a). (the o(1) goes to 0 as n goes to infinity). This function interpolates between polynomial time, for a = 0, and exponential time, for a = 1, and its peculiar shape seems to arise from formulas for the density of smooth numbers [14], where a number is y-smooth if all of its prime factors are less than or equal to y. Most of these algorithms are heuristic in the sense that proofs of their correctness rely on plausible hypotheses that have not been proved, but work very well in practice. One of the most important of these algorithms is the Elliptic Curve Method, due to Hendrik Lenstra [23] [27] which is an L[1/2; 1] algorithm that that has the virtue, of considerable significance in some applications, that it finds smaller factors faster. More recently, John Pollard described an algorithm for factoring numbers of the form n = a b k + c, k large. This was later generalized to arbitrary positive integers n, and is called the Number Field Sieve; its heuristic complexity is L n [1/3; 4/3 2/3 ] = L n [1/3; ]. The unproved assertions on which this complexity is based are natural statements concerning the proportion of values of polynomials that are smooth; these seem true in practice but their proof seems beyond currently known techniques. Details of this algorithm can be found in [21] [40]. Problem 14. Discrete Logarithms: Given an element x of an explicitly represented finite cyclic group G, and a generator g of that group, find a nonnegative integer k such that x = g k. The difficulty of the discrete logarithm problem (DLOG) depends on the size of the group and on the specific explicit representation of the group. The group G = Z/nZ = {0, 1, 2,..., n 1} of integers modulo n under addition is cyclic, and the discrete logarithm problem is easy, with the usual representation. The discrete logarithm problem for the multiplicative group G = (Z/pZ) = {1, 2, 3,..., p 1} of integers modulo a prime (represented naturally) is hard, and it is thought that its difficulty is comparable to the difficulty of factoring an integer of the size of p. The best known algorithm has (heuristic) complexity L p [1/3; 4 3 2/3 ] see [26] and [29]. Remark 15. Interest in the DLOG problem has been stimulated by cryptographic applications, e.g., the famous Diffie-Hellman protocol: If A and B want to have a public conversation which ends with them sharing a secret that no onlooker could reasonably discover, then they start by (publicly) agreeing on a suitable cyclic group G of order n together with a generator g of that group. Then A chooses a random integer a < n, and communicates g a to B, in public. Similarly B chooses a random integer b and transmits g b to A over a public channel. They can then each privately compute a joint secret s = (g a ) b = (g b ) a. The most obvious way for an eavesdropper to defeat this is to intercept g a, solve the implicit DLOG problem to find a, to intercept g b and compute s = (g b ) a. More generally, 10

11 the eavesdropper can succeed if he or she can find g ab knowing g, g a, and g b. No efficient algorithm to do this is known if G is a large cyclic subgroup of prime order in (Z/pZ) for suitable p, or for a large cyclic subgroup G of the group of points E(F p ) on a suitable elliptic curve E over a finite field F p := Z/pZ. The representation of a cyclic group in the group of points of an elliptic curve seems particularly opaque, and in this case no sub-exponential discrete logarithm algorithms are known at all. For details on these cases, see [26], [27], [29]. It is known that the difficulty of the abstract discrete logarithm problem in a group is not much greater than the difficulty of the problem in the largest cyclic subgroup of prime order. In the case of the multiplicative group G = (Z/pZ) of order p 1 it is therefore customary to choose a prime p such that p 1 has a large prime divisor q, and to choose G to be the subgroup of order q. Similarly, in the case of elliptic curves it is customary in cryptographic applications to choose an elliptic curve E such that the order of E(F p ) has a large prime divisor. Discrete logarithms in a cyclic group of order 2 n give an example of this principle. Let g be a generator of a cyclic group G of order 2 n. There is a chain of subgroups 1 = G 0 G 1 G 2 G n 1 G n = G where G m has 2 m elements. To find the logarithm of a G with respect to g, note that a 2n 1 is of order 1 or 2. In the first case, a lies in G n 1. In the second case, ag lies in the subgroup. In either case we recurse. This gives an efficient discrete logarithm problem cyclic groups whose order is a power of two. Problem 16. Square Roots Modulo a Prime: Given an odd prime p and a quadratic residue a, find an x such that x 2 a mod p. We start by showing how to efficiently reduce this problem to Quadratic Nonresidues. This means that modular square roots can be found once a quadratic nonresidue is known. Let a be a quadratic residue. Write p 1 = 2 t q, where q is odd. The element a q lies in the subgroup G of (Z/pZ) of order 2 t, and b = g q is a generator of that group. By the remark above on discrete logarithms in cyclic groups whose order is a power of 2, we can efficiently solve the discrete logarithm problem a q = b k. Note that k is even since a (p 1)/2 1 mod p. Simple calculation shows that x = a (p q)/2 b k/2 is a square root of a: x 2 = a (p q) b k = a (p q) a q = a p a mod p. The running time of the above procedure depends on t, i.e., the power of 2 that divides p 1. The conclusion is that square roots modulo p can be found efficiently if quadratic nonresidues can be found efficiently; i.e., the problem is easy in practice, easy theoretically if probabilistic algorithms are allowed, and hard theoretically if only deterministic algorithms are allowed. 11

12 More recently, René Schoof discovered a deterministic polynomial time algorithm [31] for finding square roots modulo a prime, using elliptic curves (!). In practice, This algorithm is not competitive with the probabilistic algorithms above since the exponent on log(p) is large. However, Schoof s paper has had an enormous impact on the study of elliptic curves over finite fields [27], since it also pioneered techniques for finding the order of the group E(F p ). Problem 17. Modular Square Roots: Given an integer n and an integer a, determine whether a is a square modulo n, and find an x such that x 2 a mod p if x exists. If the prime factorization of n is known, then the algorithm above can be combined with Hensel s Lemma and the Chinese Remainder (discussed later) to find a square root of a modulo n. However, the working algorithmic number theorist is often confronted with integers n whose prime factorization is unknown. In this case, no efficient modular square root algorithm is known. In fact, more is true: Modular Square Roots is, in a sense to be made precise shortly, is equivalent to Factoring. The argument referred to outlines one half of this equivalence that an efficient factoring algorithm gives an efficient algorithm for finding modular square roots. Suppose, conversely, that we have an efficient algorithm for Modular Square Roots. To factor n, first check that it is odd and not a perfect power. Then choose a random y and apply the efficient Modular Square Roots algorithm to a = y 2 mod n to get an x such that x 2 y 2 mod n. Any common divisor of x and y is a factor of n, so assume that x and y have no common divisor larger than 1. If p is a factor of n then p divides x 2 y 2 = (x y)(x + y). In addition, it divides exactly one of the factors x y or x + y (if it divides both, it would divide their sum 2x and their difference 2y). If y is random, and the algorithm for Modular Square Roots returns a random square root of a, then p has a 50/50 chance of dividing x + y or x y. This is true of any other prime factor q, and there is a 50/50 chance that p and q will divide different factors. In that case, greatest common divisor gcd(x y, n) will be a proper factor of n. If this fails, try again by choosing another random y. After k choices, the probability that n remains unfactored is 2 k. Thus Factoring and Modular Square Roots are equivalent in difficulty in practice. Remark 18. Replacing square roots by e th roots for e > 2 leads to a problem closely related to the RSA cryptosystem, perhaps the most famous of all public-key cryptographic systems. Let n = pq be the product of two primes, and G = (Z/nZ). The RSA cryptosystem uses exponentiation as a mixing transformation on G. If e > 1 is an integer relatively prime to (p 1)(q 1) then the encryption map E : G G defined by E(x mod n) = x e mod n 12

13 is a bijection that can be computed efficiently using Exp. The decryption mapping is D(y) = y d where the integer d is defined by the congruence ed 1 mod (p 1)(q 1). The decryption exponent d can be found efficiently using the Extended Euclidean Algorithm described in the next section. If if n and e are chosen suitably, then finding D(y) without knowing p and q requires the solution of a modular e th roots problem. It is plausible that this is equivalent to factoring, but no proof of this is known. Problem 19. Bounded Modular Square Roots: Given an integer n and integers a and b, determine whether there is an integer x such that x < b and x 2 a mod n. It may seem somewhat peculiar to require that the square root be below a fixed bound. In fact, it turns out that this makes the problem (probably) much harder than Modular Square Roots it is a so-called NP complete problem. Briefly, a decision problem is in P if there is a polynomial-time algorithm for it. A decision problem is in NP if there is an algorithm f(x, y) in P that takes an instance x of a problem and a certificate y as input, such that for every yes instance x there is a certificate y such that f(x, y) returns yes. Bounded Modular Square Roots is certainly in NP : given an instance (a, b, n), the integer x is a certificate: the verifications that x < b and x 2 a mod n can be done in polynomial time. Membership in NP doesn t imply that finding the certificate is easy, but merely that it exists; if certificates could be found easily the problem would be in P. Finally, a decision problem is NP -complete if it at least as hard as any other problem in NP, in the sense that any other problem in NP can be reduced to it. The notion of reduction needs to be defined precisely, and involves ideas similar to the equivalence of Factoring and Modular Square Roots sketched above. Finally, a discussion of the complexity of number-theoretic problems would be incomplete mentioning a problem for which no algorithm exists whatsoever. Problem 20. Diophantine Equations: Given a polynomial f(x 1,..., x n ) with integral coefficients in n variables, is there n-tuple of integers x such that f(x) = 0? A famous result of Matiysevich, building on work of Julia Robinson, Martin Davis, Hilary Putnam, and others, shows that this is an undecidable problem [20], [11]. In other words, there does not exist an algorithm, efficient or otherwise, that determines whether a diophantine equation is solvable. 3 Euclid s Algorithm Euclid s algorithm, given above, has been an extraordinarily fertile source of algorithmic ideas, and can be viewed as a special case of famous modern algorithms, including Hermite normal form algorithms, lattice basis reduction algorithms, and Gröbner basis algorithms. 13

14 The GCD of integers a and b is the unique nonnegative integer d such that dz = az + bz. Here dz denotes the principal ideal in the ring of integers consisting of all multiples of d, and az + bz := {ax + by : x, y Z}. To prove that d exists, it suffices to consider nonzero a and b, in which case d can be taken to be the least positive element of az+bz. Indeed, if z = ax + by is an arbitrary element of az + bz then z = qd + r, 0 r < d. Since r = z qd is a nonnegative element of az + bz, it follows that r = 0, and z is a multiple of d as claimed. Assuming that a and b are nonzero we have proved that d = gcd(a, b) is the smallest positive integral linear combination of a and b. One can also prove that d is the largest integer that divides both a and b, that it is the positive divisor divisible by all other divisors, and that it can be given in terms of prime factorizations by gcd(a, b) = p p min(ap,bp) if a = p p ap, b = p p bp. The Greeks would have been more comfortable with the following geometric definition of the GCD: if a > b > 0 then consider a rectangle of width a and height b. Remove a b by b square from one end of the rectangle. Continue removing maximal subsquares (squares with one side being a side of the rectangle) until the remaining rectangle is a square. The side length of the remaining square is the common unit of measure of a and b, i.e., their GCD. For instance, if a = 73 and b = 31, then the removal of two maximal subsquares leaves an 11 by 31 rectangle, the removal of two further maximal squares leaves a 11 by 9 rectangle, the removal of one maximal subsquare leaves a 2 by 9 rectangle, the removal of four maximal subsquares leaves a 2 by 1 rectangle, and the removal of one maximal subsquare leaves a unit square. This procedure makes sense for arbitrary real numbers, leading the notion of a continued fraction; this process terminates for an a by b rectangle if and only if a/b is a rational number. 3.1 Extended Euclidean algorithm In many applications of the Euclidean algorithm the identity az + bz = dz needs to be made explicit; i.e., we need to find x and y such that ax + by = d = gcd(a, b). To do this it suffices to augment Euclid s algorithm given earlier. Extended Euclidean Algorithm (Eea) Input: Positive integers a and b Output: x, y, z where z = gcd(a, b) and z = ax + by {X, Y, Z} := {1, 0, a} {x, y, z} := {0, 1, b} While z > 0 14

15 q := Z/z {X, Y, Z, x, y, z} := {x, y, z, X qx, Y qy, Z qz} Return X,Y,Z Simple algebra shows that at every step ax + by = Z, ax + by = z (4) so that the triples encode elements of the ideal az + bz. Moreover, Z qz = Z rem z so that the Z recapitulates the ordinary Euclidean algorithm, and this augments that algorithm as claimed. The execution of the algorithm on input a = 73 and b = 31 is summarized in the following table, where each row describes the state of the computation just after q is computed. X Y Z x y z q Thus gcd(73, 31) = 1 and ( 14) = 1. The reader should notice that from the third row onwards X and Y have opposite signs, and their values increase in absolute value in successive rows. It isn t hard to verify that (for positive a and b) this is always the case. What is the running time of this algorithm? It can be shown that the number of arithmetic operations required is linear in the input size. Briefly, the argument is as follows. The worst case is when the quotients q are always 1. An induction argument shows that if this is the case and n iterations of the loop are required then a F n+2, b F n+1, where F n denotes the n-th Fibonacci number (F 1 = F 2 = 1, F n+1 = F n + F n 1 ). Using F n = O(ϕ n ), ϕ = (1 + 5)/2, it follows that n = O(log(a)), as desired. A more careful accounting of the bit complexity, using the fact that the size of the integers decreases during the course of the algorithm, shows that the bit complexity is O((log(a)) 2 ). On occasion it is useful to formulate the Euclidean algorithm in terms of 2 by 2 matrices. Say that the matrix associated to a row X, Y, Z, x, y, z, q is [ ] X Y M :=. x y Then by (4) M [ a b ] = [ Z z ]. 15

16 The matrix M of the next row is easily checked to be [ ] 0 1 M = M. 1 q Iterating this in the specific calculation above gives [ ] [ ] [ ] [ ] [ = ] [ ] [ ]. (5) Now we consider an application of the Eea. Example 21. The inverse of an element (Z/nZ) can be computed using the Eea. Indeed, if gcd(a, n) = 1 then there are x, y such that ax + ny = 1, which says that (a mod n) 1 = x mod n. If n = p is a prime, then Fermat s little theorem suggests another way to compute inverses using Exp: (a mod p) 1 = a p 2 mod p. How do these two ideas compare? Exp requires O(log(p)) multiplications. If classical arithmetic is used (i.e., multiplication of k-bit integers takes time O(k 2 )), then inversion via computing a p 2 has bit complexity O(log(p) 3 ) since the integers are all of size O(log(p)). On the other hand, the Eea version has bit complexity O(log(p) 2 ). If fast arithmetic is used, the algorithm using Exp takes time O(log(p) 2+ɛ ), for any ɛ > 0, and the Eea takes time O(log(p) 1+ɛ ), where the ɛ in the exponent comes from higher order logarithmic factors in the fast arithmetic complexity estimates. All of the ideas in the Eea apply to any commutative ring in which division with smaller remainder exists. For instance, the ring F [x] of polynomials over a field F admits a division algorithm for which the remainder polynomial has smaller degree than the divisor. And the ring Z[i] := {a + bi : a, b Z} of Gaussian integers inside the complex numbers has this property if size is the absolute value, and we take the quotient in ring to be the result of taking the quotient in the complex numbers and rounding to the nearest integer. 3.2 Continued fractions The partial quotients of the continued fraction expansion of a real number α are the terms of the (finite or infinite) sequence a 0, a 1,... defined as follows. Continued Fraction of a Real Number Input: A real number α Output: A sequence a i of integers α 0 := α For i := 0, 1,... Output a i := α i Halt if α i = a i α i+1 := 1/(α i a i ) 16

17 Example 22. If α = 73/31 the partial quotients are 2, 2, 1, 4, 2. If α = 11 the partial quotients are ultimately periodic: 3, 3, 6, 3, 6, 3, 6,.... The reader should verify that the above procedure terminates, so that the sequence of partial quotients is finite, if and only if α is a rational number. Although written as if was an algorithm, this is a mathematical construct rather than an algorithm, for several reasons: (a) it may fail to terminate, (b) real numbers can not be represented in finite terms suitable for a computer, and (c) testing real numbers for equality is (algorithmically) problematic. The relationship between α i and α i+1 can be written as α i = a i + 1 α i+1. (6) Iterating this for α = 73/31 gives the finite continued fraction = = [2; 2, 1, 1, 4, 2] where [a 0 ; a 1,..., a n ] denotes the value of a finite continued fraction with partial quotients a i. The values of the successive partial continued fractions of a real number are called convergents of the continued fraction; e.g., the convergents of the continued fraction for 73/31 are [2] = 2 [2; 2] = 9/2 [2; 2, 1] = 11/9 [2; 2, 1, 4] = 31/11 [2; 2, 1, 4, 2] = 73/31. they represent quadratic irrational numbers a + b d, where a, b, d are rational numbers (and d is a nonsquare). For instance, if α denotes the purely periodic continued fraction [3; 6, 3, 6, 3, 6,...] then α = α Clearing fractions gives 2α 2 6α 1 = 0, i.e., α = (3 + 11)/2. Proposition 23. Let [a 0 ; a 1, a 2,...] be the continued fraction of a real number α, and let α n = [a n ; a n+1,...] be as above. Define sequences x i, y i recursively by x 1 = 0, x 0 = 1, x n+1 = a n+1 x n + x n 1, n 0 (7) y 1 = 1, y 0 = a 0, y n+1 = a n+1 y n + x n 1, n 0. 17

18 Then x n and y n are coprime for all n, and y n /x n = [a 0 ; a 1,..., a n ] is the n-th convergent of the continued fraction. Moreover, α = y nα n+1 + y n 1 x n α n+1 + x n 1. (8) Remark 24. There are several commonly used notations for convergents; the rationale for the choice here will become evident later. Proof. An easy induction argument using the recursion shows that x n y n 1 x n 1 y n = ( 1) n. In particular, x n and y n are coprime. The fact that y n /x n is a convergent follows from an induction argument: y n+1 x n+1 = a n+1y n + y n 1 a n+1 x n + x n 1 = a n+1(a n y n 1 + y n 2 ) + y n 1 a n+1 (a n x n 1 + x n 2 ) + x n 1 = (a n + 1/a n+1 )y n 1 + y n 2 (a n + 1/a n+1 )x n 1 + x n 2 = [a 0 ; a 1,..., a n + 1 a n+1 ] = [a 0 ; a 1,..., a n, a n+1 ]. Note the subtlety that the induction assumption is applied to the penultimate continued fraction, and that its earlier convergents are identical to the earlier convergents of the final continued fraction. The last statement in the theorem can also be proved by induction. As with the Euclidean algorithm, it is sometimes convenient to formulate continued fractions in terms of 2 by 2 matrices, e.g., defining [ ] [ ] ak 1 yk y M k :=, P 1 0 k := k 1 (9) and observing that the Proposition says that P k = M 0 M 1 M k. A careful look at the convergents of the continued fraction of 73/31 reveals that they recapitulate Euclidean algorithm! This is easy to verify using the matrix perspective and the identity Indeed, multiplying the relation [ a [ ] 1 = [ a ] [ ] 1 = P x k ]. x k 1

19 repeatedly on the left by the M 1 k gives the the earlier EEA formula (5), and the Eea formula can be reversed in a similar way to give a continued fraction. Note also that the matrix formulation recovers y n x n 1 y n 1 x n = ( 1) n+1 (10) since the determinant of each M k is 1 and det(p n ) = ( 1) n Rational Approximation Let α, α n, a n, y n, x n be as in the previous section. Dividing (10) by x n x n 1 gives y n x n y n 1 x n 1 = ( 1)n+1 x n x n 1. Iterating this identity and using y 0 /x 0 = a 0 gives the marvelous formula y n = a = 1 + ( 1) n 1. (11) x n x 0 x 1 x 1 x 2 x n 1 x n Since the x n = a n x n 1 +x n 2 are strictly increasing it follows that the convergents y n /x n converge to a real number α. Proposition 25. With the above notation, α = α. For even n, the convergents increase and approach α from below; for odd n the convergents decrease and approach α from above. Both y n /x n α and y n x n α alternate in sign, and decrease in absolute value. Moreover, 1 x n (x n + x n+1 ) < α y n < 1. x n x n+1 Proof. To show that α = α, use (8): α y n = y n α n+1 + y n 1 y n x n α n+1 + x n 1 = ( 1) n+1 x n (x n α n+1 + x n 1 ) 1 (12) x n x n+1 x n x n since α n+1 α n+1 = a n+1. All of the other statements follow (with considerable algebraic juggling) from (11) and basic facts about alternating series. In order to understand the extent to which the y/n/x n are superb approximations α by rational numbers, the following definition is convenient. If (x, y) is a point in the XY -plane, then the distance from (x, y) to the line Y = αx along the vertical line X = x, is y αx. Say that (x, y), x > 0 is a best approximator to α if x and y are relatively prime and (x, y) has the smallest vertical distance to Y = αx among all integer points with denominator at most x, i.e., y αx < v uα for all integers u, v with 0 < u < x. Note that if x is fixed and y is the nearest integer to xα then y αx < 1, i.e., y/x α < 1/x. The following theorem says that convergents give rational approximations that are better by an order of magnitude in that y/x α < 1/x 2, and, moreover, that any sufficiently good rational approximation comes from a convergent. 19 x n

20 Theorem 26. Let α be a real number, and (x, y) a pair of coprime integers with x > 0. Then: (a) The pair (x, y) is a best approximator to α if and only if y/x is a convergent in the continued fraction expansion of α. (b) Any best approximator (x, y) to α satisfies y x α 1 < x. 2 (c) If y x α 1 < 2x 2 then (x, y) is a best approximator to α. The convergents in the continued fraction of α are lattice points (points with integer coordinates) in the plane, and they are unusually close to the line Y = αx. The points alternate back and forth over the line, and each point (x, y) is closer to the line than all points with smaller X. Since any best approximator y n /x n comes from a convergent, it follows that the open parallelogram {(x, y) : 0 < x < x n+1, y αx < y n αx n } contains no lattice points other than the origin. If you are standing at the origin of the plane looking in the direction of y = αx, then the lattice points (x, y) Z 2 that are closest to the line occur alternately on both sides of the line, and become very close to the line. This makes it difficult to illustrate this with graphically, since the convergents approximate so well that they quickly appear to be on the line. In the following figure, we help the reader by holding a magnifying glass over three points, in the case where the line is Y = αx for the golden ratio α = φ = [1; 1, 1, 1, ]; the coordinates of the convergents (F n, F n+1 ) are consecutive Fibonacci numbers. Now we prove the theorem. Proof. By the last inequality in Theorem 25 a convergent of the continued fraction satisfies α y n x n < 1 < 1. x n x n+1 x 2 n Therefore (b) follows once (a) has been proved. To prove (a), assume that (x, y) is an arbitrary pair of coprime integers with x < x n. Define a, b by the equation [ ] [ ] [ ] [ ] a x = Pn 1 yn y = n 1 x. b y y 20 x n x n 1

21 Figure 1: Convergents to the golden ratio 21

22 Both a and b are integers since det(p n ) = ±1; in fact, explicit algebra gives a = ( 1) n+1 (x n 1 y y n 1 x), b = ( 1) n+1 ( x n y + y n x). Since x < x n, and x n, y n are coprime, it follows that b is nonzero. Moreover, the equation x = ax n + bx n 1 shows that a and b are of opposite sign or a = 0. If a = 0 then the coprimality of x n 1 and y n 1 implies that x is a multiple of x n 1. Thus (x, y) is not a best approximator ((x n 1, y n 1 ) has a smaller denominator), and not a convergent. If a is nonzero then y xα = (ay n + by n 1 ) (ax n + bx n 1 )α = a(y n x n α) + b(y n 1 x n 1 α) implies that y xα y n 1 x n 1 α (since a and b, and y n x n α and y n 1 x n 1 α, have opposite signs). From Proposition 25 y n x n α < y n 1 x n 1 α y xα so (x n, y n ) is a best approximator, proving half of (a). On the other hand, if x n 1 < x < x n, the displayed inequality shows that (x, y) is not a best approximator, proving the other half of (a). To prove (c), suppose that a coprime pair (x, y) satisfies y xα < 1/(2x). For a coprime pair (u, v) with 0 < v < y, 1 yu xv = v(y xα) y(v uα) v(y xα) + y(v uα). From v y xα < v/2x < 1/2 it follows that v uα > (y/v) y xα > y xα which shows that (x, y) is a best approximator and therefore a convergent, as desired. Part (c) of the theorem will play a critical role at two points in the sequel. 4 Modular Equations The goal of this section is to consider the problem of solving polynomial congruences, i.e., given n Z +, and f(x) Z[X], find x Z/nZ such that f(x) 0 mod n. We sequentially consider the cases in which n a prime, prime power, and arbitrary positive integer. 22

23 4.1 Equations Modulo Primes Congruences modulo a prime p are more or less equivalent to finding roots of polynomials in the field F p := Z/pZ. According to Fermat s Little Theorem, every element of F p is a root of the polynomial x p x; comparing degrees and leading coefficients shows that x p x = a F p (x a) F p [x]. It follows that if f(x) F p [x] is an arbitrary polynomial then gcd(f(x), x p x) is the product of all linear factors x a where a is a root of f. Similarly the roots of x (p 1)/2 = 1 are the quadratic residues modulo p, so x (p 1)/2 1 = a R p (x a) F p [x] where R p denotes the set of quadratic residues modulo p. This suggests the following elegant algorithm for finding all roots of a polynomial in F p [x]. Cantor Zassenhaus(f, p) Input: A prime p and a polynomial f F p [x] Output: A list of the roots of f 1. f := gcd(f, x p x) 2. If f has degree 1, Return its root 3. Choose b at random in F p g := gcd(f(x), (x + b) (p 1)/2 1) If 0 < deg(g) < deg(f) then Return Cantor Zassenhaus(g) Cantor Zassenhaus(f/g) Else, go to Step 3 The correctness follows from the earlier remarks at Step 3 f(x) is a product of distinct linear factors x a, and then g is the product of all x a such that a + b is a quadratic residue. If b is random then we would expect about half of factors of f to divide g. Moreover, the algorithm takes (probabilistic) polynomial time since the input size for a (general) polynomial over F p is n log(p) and all operations take time bounded by a polynomial in n and log(p). 4.2 Equations Modulo Prime Powers The next case is prime powers. The key idea originates with Kurt Hensel and gives an explicit construction, in favorable situations, of a lifting of a solution to f(x) 0 mod p n to a solution modulo p 2n. Perhaps the most basic nontrivial example is f(x) = x 2 a modulo p k, p odd. If x 2 a mod p then simple algebra shows that y 2 a mod p 2, where y = (x 2 +a)(2x) 1 mod p. This is just Newton s Lemma from calculus: y = x f(x) f (x) = x x2 a 2x 23 = x2 + a 2x.